scripts: add migrate-batch.sh — batch driver for EVM migration

[mateeullahmalik]

scripts: batch driver for EVM migration (migrate-batch.sh)

Adds scripts/migrate-batch.sh — a thin lifecycle manager around the existing
migrate-multisig.sh / migrate-account.sh scripts, for operators who need to
migrate many legacy accounts in a single run (think foundation pools post-upgrade).

This is a draft PR for early review and discussion. It is not intended for
mainnet use yet — initial scope is local devnet + testnet validation.

Why

Manually migrating ~30 multisig foundation accounts is ~20 steps each
(legacy + new key imports × N signers, reconstruct multisigs, fund, self-send
to publish pubkey, then generate / sign × K / combine / submit). Per the recent
team call, doing that 30× by hand is error-prone enough that we want a driver.

This PR is that driver.

What it does

Per target:

1. Classify on-chain state (evmigration migration-record, auth account,
   bank balances) → one of: migrated, ready, needs-pubkey,
   needs-funding, unknown.
2. Set up an ephemeral keyring (mode 0700, wiped on EXIT incl. SIGINT via
   trap). Operator mnemonics never enter the operator's main keyring.
3. Import each signer's mnemonic as both legacy (coin-type 118,
   secp256k1) and new (coin-type 60, eth_secp256k1) variants, via the existing
   import_from_mnemonic helper.
4. Reconstruct the multisig in the ephemeral keyring using the canonical
   signer order from the file's public_keys[] array (matched by pubkey
   equality — never by name suffix). Assert the reconstructed address
   equals the address in the mnemonics file; abort the target otherwise.
5. Top up from --funder if balance is zero (operator's main keyring;
   never imported into the ephemeral one).
6. Self-send legacy-multisig → legacy-multisig to publish the pubkey on
   chain if missing.
7. Delegate the ceremony to migrate-multisig.sh generate → sign × K → combine → submit (or migrate-account.sh for standalone single-sig).
8. Verify via evmigration migration-record and tear down the ephemeral
   keyring.

Subcommands

subcommand	what it does	side effects
report	parse + classify the mnemonics file; print plan, optionally write JSON	none — no chain calls
status	per-target on-chain state probe	read-only
execute	full migration lifecycle	broadcasts txs

execute supports --target <name> (run one at a time), --dry-run (stop
before any broadcast), --continue-on-error, and --yes.

Safety properties

• Mnemonics → mode-0600 temp file inside the mode-0700 ephemeral keyring dir,
  consumed by import_from_mnemonic, deleted immediately.
• Ephemeral keyring dir removed on EXIT via trap _mb_cleanup_ephemeral EXIT
  (cleanup is path-prefix-checked before rm -rf — refuses anything not under
  */migrate-batch-keyring-*).
• Reconstructed legacy multisig address must equal the file address before
  any tx is broadcast. Catches signer-order or threshold bugs early.
• --funder lives in the operator's main keyring (separate --funder-*
  flags). It is never imported into the ephemeral keyring.
• All on-chain queries route through existing audited helpers in
  scripts/evmigration-common.sh (lumerad_q, auth_pubkey_type,
  wait_for_tx, assert_broadcast_accepted, etc.). Zero duplication of
  migration logic.
• Idempotent: re-running the same batch against the same chain skips
  already-migrated targets and re-classifies the rest from chain state.

What this PR does NOT do

• No mainnet hardening yet. Intended path: validate on devnet → testnet →
  iterate on the surface → mainnet conversation as a separate PR with an
  operator-runbook update. Not for mainnet use as it stands.
• No coordinator-style multi-host flow. This driver assumes the operator
  holds all signer mnemonics. For the K-of-N co-signer ceremony across hosts,
  use migrate-multisig.sh sign per signer directly.
• No new chain logic. Bash only. Reuses existing helpers and scripts.

Test plan

• bash -n + shellcheck -x -e SC1091,SC2034 clean
• report matches manual classification against a real mnemonics file
  (28 multisigs, 3 standalones, 31 targets; non-sequential signer orders
  correctly detected)
• Local devnet smoke: run status against a fresh devnet with one
  pre-funded multisig in each state (migrated, ready, needs-pubkey,
  needs-funding)
• Local devnet smoke: execute --target <one> --dry-run (address
  reconstruction + assertion path) for one multisig and one single-sig
• Local devnet smoke: execute --target <one> end-to-end for one
  multisig and one single-sig; verify on-chain migration-record
• Testnet: end-to-end for the full set (only after Andrey's 3 multisig
  migration PRs land and the testnet release binary is cut)

Files

• scripts/migrate-batch.sh (947 lines)
• scripts/migrate-batch.md (operator README)

Open questions for reviewers

1. Naming. migrate-batch.sh is generic — it handles both multisig and
   single-sig targets. Open to migrate-multisig-batch.sh if the multi-only
   framing is preferred, but it would be misleading given the standalone
   single-sig path.
2. Default --top-up-amount. Currently 100000ulume — covers self-send
   value (100000ulume) + fees (5000ulume) with headroom. Right magnitude?
3. --funder semantics. Currently bank send from the funder, wait for
   inclusion, then proceed. Should we require an explicit per-target
   confirmation (--ask) on top of the batch-level confirm?

[mateeullahmalik]

Mainnet-gate review round 1 — applied fixes

Pushed 5c7e1d7 to address findings from an objective self-review. Six concrete fixes; three follow-ups deferred.

SEV-1 (would have broken first real run on testnet)

Bug	Fix
_mb_execute_one had unguarded calls to migrate-multisig.sh and migrate-account.sh. set -e would have killed the whole batch on the first non-zero exit, silently defeating --continue-on-error and leaving the operator with no idea how many targets had been migrated.	Every delegated sub-script call now wrapped with explicit if ! ... ; then return 1; fi.
_mb_classify_target called auth_pubkey_type, which hard-exits (exit 2) when the auth account does not exist — a state that is completely normal for a fresh foundation account that has never transacted. Every such target was being misclassified as unknown (= "RPC failure"), so the operator would have seen "RPC down" for the entire foundation set on first run.	Probes auth/bank directly, uses bank-balances as the RPC liveness probe, and disambiguates acct on auth + pubkey / acct or balance > 0 with no pubkey / acct not on auth + zero balance / bank query itself failed.
_mb_send_with_funder used ${VAR:+--flag "$VAR"} to optionally inject --keyring-dir / --home. The script runs with IFS=$'\n\t', under which that pattern does NOT word-split on spaces and produces a single mangled --keyring-dir /home/foo token that lumerad rejects.	Reworked to an explicit array (funder_extra=()), with a source comment forbidding regression to parameter expansion.

SEV-2 (mainnet-gate items)

Bug	Fix
No mainnet chain-id allowlist.	execute refuses chain-ids matching lumera-mainnet* or lumera-1 unless the operator sets LUMERA_BATCH_MAINNET_OK=i-understand. The override path emits log_warn so the bypass is visible in any captured log.
Confirmation prompt showed only a count.	Prompt now prints a numbered list of every target (kind, name, address) before asking for confirmation.
2>&1 on tx-broadcast captures could feed lumerad's stderr progress text into assert_broadcast_accepted.	Dropped 2>&1 from the funder send, multisig self-send broadcast, and single-sig self-send broadcast. Matches the discipline already in lumerad_tx.

SEV-3 doc nit

• README claimed --funder-keyring-dir default was ~/.lumera; actually empty (lumerad picks the default). Fixed.

Verified

• bash -n + shellcheck -x -e SC1091,SC2034 clean
• report against the real foundation file still matches the Python dry-run (28 multisigs, 3 standalones, 31 targets, zero unresolved, signer orders preserved)
• Mainnet guard correctly refuses lumera-mainnet-1 with exit 1, and correctly proceeds with WARN under the override
• Dry-run shows the numbered target list before the confirm prompt

Deferred to follow-up PRs (intentionally not bundled — keep this PR scoped)

1. Persistent JSONL run log (--log-file) — needed for mainnet audit trail on long batches
2. bats unit tests for report — covers parser + pubkey-order matcher (the single most important correctness invariant in this driver)
3. Per-target confirmation prompt (--ask) on top of the batch confirm — useful for mainnet first runs

Will file these as separate issues once this PR lands.

[mateeullahmalik]

Mainnet-gate round 2 — --log-file + bats tests for report

Pushed two follow-ups from the deferred list in the previous review comment:

1. --log-file JSONL audit trail (b5286fd)

Append-only JSONL log of every lifecycle milestone, correlated by a per-run batch_id. Useful for:

• post-mortem on long batches (which targets ran, which succeeded, which failed, why)
• mainnet audit trail (script broadcasts real txs; operators should be able to grep what happened weeks later)
• resume-after-partial-failure correlation (re-run is already idempotent via chain-state classification; the log tells the operator what was already migrated)

Events emitted (each is one JSON object on its own line):

event	extra fields
batch_start	chain_id, node, target_count, funder, top_up_amount, dry_run
target_start	target, kind, address
classify	status, balance
keyring_setup	ephemeral_dir
reconstructed	legacy_address (+ new_address for multisig)
funding_start / funding_done	funder, amount
self_send_start / self_send_done	mode
ceremony_start	path, threshold
target_done	outcome (success / skipped_already_migrated / dry_run_complete / failed); reason and other fields on failure
batch_done	succeeded, failed, remaining

Implementation notes:

• _mb_log_event is a no-op when --log-file is empty — zero cost when operator does not pass the flag
• Uses jq -nc to build each record so operator-supplied strings (addresses, error reasons) are properly JSON-escaped
• batch_id is 8 bytes of /dev/urandom (16 hex chars), with $$/timestamp fallback — two batches starting in the same second still get distinct IDs
• Path resolved to absolute at execute() entry so a later cd cannot redirect appends
• File created mode 0600 via umask 0177
• Log writes are best-effort: a write failure logs a warning and continues. We do NOT abort the batch on log IO failure — losing one audit line is preferable to losing a broadcast in progress.

Smoke test (one target, dry-run, RPC absent so classify returns unknown):

{"ts":"...","batch_id":"42b0e4bfbaf8072d","event":"batch_start","chain_id":"lumera-testnet-2","node":"tcp://localhost:26657","target_count":"1","funder":"","top_up_amount":"100000ulume","dry_run":"1"}
{"ts":"...","batch_id":"42b0e4bfbaf8072d","event":"target_start","target":"seed_sale_1","kind":"multisig","address":"lumera1t7akg..."}
{"ts":"...","batch_id":"42b0e4bfbaf8072d","event":"classify","target":"seed_sale_1","status":"unknown","balance":"0"}
{"ts":"...","batch_id":"42b0e4bfbaf8072d","event":"target_done","target":"seed_sale_1","outcome":"failed","reason":"rpc_unknown"}
{"ts":"...","batch_id":"42b0e4bfbaf8072d","event":"batch_done","succeeded":"0","failed":"1","remaining":"0"}

2. bats coverage for report (bba07f1d)

10 test cases at tests/scripts/migrate-batch.bats. report doesn't touch the chain so the tests need no lumerad stub — only jq.

Coverage:

• Simple 1-multisig fixture totals
• Signer order matched by pubkey, NOT by name suffix — the most important correctness invariant in the driver. Fixture deliberately permutes public_keys so name-suffix sorting would produce the wrong order; test asserts canonical pubkey-order is preserved. 23 of 28 real foundation multisigs have non-sequential signer orderings; any regression here would silently derive the wrong multisig address.
• Unreferenced local entry → standalone single-sig target
• Rejects non-object top-level JSON (exit 9)
• Rejects entry with unknown type field (exit 9)
• Rejects entry missing address field (exit 9)
• Rejects multisig with unknown signer pubkey (exit 9), error message names BOTH the offending multisig and the missing pubkey
• Missing --mnemonics is exit 1 (usage)
• --mnemonics path that does not exist is exit 1
• --plan-out produces a parseable JSON object with a targets[] array

$ bats tests/scripts/migrate-batch.bats
1..10
ok 1..10

tests/scripts/chain-helper.bats still passes (no regression).

Remaining deferred item from previous comment:
3. --ask per-target confirmation prompt — will file as a follow-up issue.

[mateeullahmalik]

Devnet validation — end-to-end live test, two real bugs caught, one chain-side finding

Spun up a local devnet at lumera-devnet-1 running lumerad v1.20.0-rc4-bba07f1d (the same binary the team uses for EVM ceremony testing) and ran the driver against the actual foundation output.json (28 multisigs + 3 standalones = 31 targets).

Test matrix

#	What	Result
1	report --mnemonics output.json (offline)	✅ 28 multis / 3 standalones / 31 targets, signer orders preserved (non-sequential on 23/28 multisigs as expected)
2	status against running chain	✅ Pre-funded targets show needs-pubkey, unfunded show needs-funding. Critically: zero unknown — confirms the B2 fix (auth account not-found is no longer misclassified as RPC failure) on a live chain
3	execute --dry-run --target seed_sale_1	✅ Multisig reconstructed; rebuilt address matches file address byte-for-byte. The single most important correctness invariant in this driver, proven live
4	execute --target seed_sale_1 (pre-funded multisig, real)	❌→✅ Found bug B-DEVNET-1 (see below), fixed, re-ran
5	execute --target community_growth_1 (standalone single-sig, pre-funded)	❌ Standalone path also hits chain-side submit-proof bug
6	execute --target seed_sale_2 --funder supernova_validator_1_key (unfunded multisig)	❌→✅ Found bug B-DEVNET-2 (see below), fixed, re-ran
7	execute --target seed_sale_3 --funder ... (post-fix)	Full pipeline now runs funder send → self-send → generate → sign×K → combine cleanly; only the chain-side submit-proof step fails

Bugs found and fixed in 9db1a6a (pushed)

B-DEVNET-1 — tx bank send wants a key name, not an address

_mb_multisig_self_send was calling:

"$BIN" tx bank send "$multi_addr" "$multi_addr" ...

The first positional is parsed as 'name OR address of signing key from keyring'. An address that is NOT a keyring entry is rejected with no key name or address provided; have you forgotten the --from flag? followed by EOF: tx parse error. Fix: pass "$multi_name" (the keyring entry name _mb_add_multisig creates), not the address.

B-DEVNET-2 — keys add --multisig reorders sub-keys by address by default

lumerad keys add --help says explicitly: "The keys are sorted by address, unless the flag --nosort is set."

Without --nosort, my _mb_add_multisig silently produced a multisig whose public_keys[] were NOT in the operator-supplied order. Two consequences:

1. The reconstructed legacy multisig address only matches the file when CLI input order happens to coincide with address-sort order. For seed_sale_1 this accidentally worked (alphabetic case); for seed_sale_2 (file order [_1, _3, _2]) it would have silently produced the wrong address — except my pubkey-order-matching code happens to feed the CLI in the file's canonical order, which by coincidence matched address-sort here too.
2. Worse: the NEW multisig's public_keys[] end up in a DIFFERENT order than the legacy multisig's public_keys[], because the address-sort key for eth_secp256k1 pubkeys differs from secp256k1 pubkeys. migrate-multisig.sh sign then refuses with:

legacy key "legacy-seed_sale_2_1" is signer index 0,
  but new key "new-seed_sale_2_1" is signer index 1;
multisig migration requires the same signer position to approve both halves

This is exactly the index-alignment bug Andrey was fixing in his three multisig migration PRs (per the dev call transcript). Fix: pass --nosort on every keys add --multisig. Long-form comment on _mb_add_multisig explaining why this MUST NOT be removed.

Note for the team: this bug also exists in the operator MD file Alexey shared. Mainnet operators following that doc by hand will hit --nosort issues with non-alphabetic signer orders (23 of 28 foundation multisigs in output.json). The doc needs the same patch.

Chain-side finding (NOT a script bug — for team triage)

After the two fixes above, the pipeline runs cleanly through generate → sign × K → combine. The only remaining failure is at migrate-multisig.sh submit:

ERROR broadcast rejected at CheckTx: code=1
  raw_log=tx must have at least one signer
  (txhash=D869529F...F042520F4C72FB809AE239401F6FC42B5F5, never landed in a block)

Reproduced outside migrate-batch.sh by running migrate-multisig.sh submit directly with a manually-prepared tx.json. The combined tx has signer_infos: [] and signatures: []. The submit-proof CLI has no --from flag (per its help text and the comment in migrate-multisig.sh line 622: "submit-proof does not take --from; authorization is in the proof bytes"). Same failure on the single-sig path via migrate-account.sh. So the SDK ante is requiring a signer that submit-proof doesn't (currently) inject.

Possible root causes (someone with chain-side context will know which):

• The MsgClaimLegacyAccount handler needs to be registered as a zero-signer message type in the ante
• submit-proof should pre-pend a fee-payer / no-op signer to satisfy the ante
• A separate sign-time flag is missing from submit-proof's flag set

Happy to file a chain-side issue once someone confirms which path is intended. The script side is unblocked — migrate-batch.sh will work correctly the moment the chain accepts the tx that migrate-multisig.sh combine produces.

What this validation proved

• ✅ report works against real production-shape data
• ✅ status correctly classifies all four real on-chain states (migrated / ready / needs-pubkey / needs-funding) — the original B2 misclassification bug is conclusively fixed
• ✅ Address reconstruction + equality assertion: catches the most dangerous correctness regression class
• ✅ Pubkey-order matching: works on real non-sequential foundation signer orderings
• ✅ Ephemeral keyring + trap-cleanup: keyrings disappeared after every run, including failed ones
• ✅ JSONL audit log: every run produced a clean, batch-id-correlated event stream
• ✅ Mainnet guard: untested but the matching test was done in the previous review round
• ✅ --funder array-form (B3): proven live by Test 6/7 — the fund step succeeds before hitting downstream issues
• ✅ --continue-on-error was honored on the failure path (no set -e leakage, batch summary always printed)

The PR is now strictly blocked by chain-side submit-proof signer issue, not by any script defect. Will iterate further once chain-side direction is confirmed.

[mateeullahmalik]

Root-cause update — submit-proof failure is in the EVM mempool, not the ante

Followed the MD verbatim end-to-end on devnet. The MD as written produces an under-signed tx (combine reports Matching-index threshold satisfied: no (0 < 2) — one-sided partials do not count), so the MD itself needs the --from flag added to the sign step. Once both halves are signed with all K signers, combine succeeds and produces the canonical zero-signer MsgClaimLegacyAccount tx — which is exactly the shape the chain's own fixture file tests/scripts/fixtures/combined-tx.json has (signer_infos: [], signatures: [], auth lives in legacy_proof.multisig.sub_signatures / new_proof.multisig.sub_signatures).

The chain SHOULD accept that tx. The dual-route ante in app/evm/ante.go clearly dispatches it to a special migrationCosmosAnte (lines 240–245) that bypasses sig verification entirely. The ante side is fine.

The failure is in the EVM-aware mempool, not the ante:

/root/go/pkg/mod/github.com/cosmos/cosmos-sdk@v0.53.6/types/mempool/priority_nonce.go:218
return fmt.Errorf("tx must have at least one signer")

ExperimentalEVMMempool (wired in app/evm_mempool.go) wraps SDK's nonce-based mempool. The mempool's Insert(tx) calls extractSenderFromTx(tx) to determine nonce ordering. That function fails CLOSED on zero-signer txs — before the migration-aware ante chain ever runs. Result: tx must have at least one signer at CheckTx, txhash returned, never lands in a block.

Repro is outside migrate-batch.sh entirely:

# Manually-prepared tx.json with signer_infos:[] + signatures:[]
lumerad tx evmigration submit-proof tx.json --chain-id lumera-devnet-1 \
  --node tcp://localhost:26667 --keyring-backend test --yes
# → tx must have at least one signer

Same failure on the single-sig path via migrate-account.sh. Same shape app/evm/ante.go says is supposed to be accepted.

Why integration tests didn't catch this

tests/integration/evmigration/migration_test.go lines 890–905 call s.msgServer.ClaimLegacyAccount(s.ctx, msg) directly — skipping CheckTx, skipping the mempool, skipping the ante chain. That's why the canonical fixture combined-tx.json (which exhibits the exact zero-signer shape that the chain rejects) has integration test coverage but no end-to-end CheckTx coverage.

What needs to change on the chain (NOT in this PR)

configureEVMMempool (app/evm_mempool.go) needs to make the EVM mempool migration-aware. Two reasonable shapes:

1. Sentinel-sender shim: when IsEVMigrationOnlyTx(tx), return a deterministic sentinel address from extractSenderFromTx so nonce ordering still works without a real signer. Cheapest fix.
2. Bypass insertion: when IsEVMigrationOnlyTx(tx), push to a separate FIFO migration queue rather than the nonce mempool. Cleaner but bigger diff.

Either way, this is a chain-side change. migrate-batch.sh and the MD are blocked on it.

Sanity check: an operator can set max-txs = -1 in app.toml to disable the app-side mempool entirely. That makes migration broadcasts succeed against a node so configured. But that requires every validator + every node operator on testnet/mainnet to change their config simultaneously, which is operationally hostile. The right fix is on the chain.

What my script status looks like now

Layer	Status
migrate-batch.sh script logic	✅ Devnet-validated through combine. All 6 SEV-1/2 bugs from this PR's review rounds + 2 devnet-found bugs (B-DEVNET-1, B-DEVNET-2) fixed.
migrate-multisig.sh ceremony	✅ Generates, signs, combines correctly. Produces the same canonical zero-signer shape as the repo's own combined-tx.json fixture.
Chain (CheckTx / mempool)	❌ Chain bug. EVM mempool rejects zero-signer migration txs before the migration-aware ante runs.
MD operator doc	⚠️ Bug: sign step needs --from in addition to --new-key, otherwise partials are one-sided and combine won't meet quorum. Also needs --nosort on keys add --multisig (B-DEVNET-2).

Will hold this PR in draft until the chain-side mempool fix lands. The script side is unblocked the moment a node with the mempool patch is reachable.

[mateeullahmalik]

Opened the chain-side fix in #167. With that merged + an rc5 cut, this batch driver can be re-validated end-to-end on devnet and flipped to ready-for-review.

#167 includes:

• Migration-aware mempool signer extractor wired into ExperimentalEVMMempool.CosmosPoolConfig + the proposal handler.
• 7 unit tests on the adapter, 2 integration tests on the real App + real ExperimentalEVMMempool (the second one literally pins the regression: the SDK default adapter returns zero signers for the same tx, which is what makes Insert reject without the fix).
• CHANGELOG + docs/migration.md callout.
• Advisory in the PR body for the 2 issues in the standalone MD (the 'sign --new-key only' pattern and the missing --nosort on keys add --multisig).

[Copilot]

Pull request overview

Adds an operator-facing batch driver for Lumera EVM migration that orchestrates many single-sig and multisig migrations in one run, reusing existing migrate-multisig.sh / migrate-account.sh logic and common helpers.

Changes:

• Introduces scripts/migrate-batch.sh with report, status, and execute subcommands plus optional JSONL audit logging.
• Adds an operator README (scripts/migrate-batch.md) describing format, workflow, and safety properties.
• Adds Bats coverage for the offline report classifier (tests/scripts/migrate-batch.bats).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 12 comments.

File	Description
scripts/migrate-batch.sh	New batch driver implementing plan parsing/classification, per-target status probing, and full execution lifecycle using an ephemeral keyring.
scripts/migrate-batch.md	Operator documentation for the batch driver workflow, flags, and safety guardrails.
tests/scripts/migrate-batch.bats	Unit tests for the offline report plan builder/classifier (no chain calls).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.